src/op_mode/show_nat_rules.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

#!/usr/bin/env python3
#
# Copyright (C) 2021 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import jmespath
import json

from argparse import ArgumentParser
from jinja2 import Template
from sys import exit
from vyos.util import cmd
from vyos.util import dict_search

parser = ArgumentParser()
group = parser.add_mutually_exclusive_group()
group.add_argument("--source", help="Show statistics for configured source NAT rules", action="store_true")
group.add_argument("--destination", help="Show statistics for configured destination NAT rules", action="store_true")
args = parser.parse_args()

if args.source or args.destination:
    tmp = cmd('sudo nft -j list table ip nat')
    tmp = json.loads(tmp)

    format_nat_rule = '{0: <10} {1: <50} {2: <50} {3: <10}'
    print(format_nat_rule.format("Rule", "Source" if args.source else "Destination", "Translation", "Outbound Interface" if args.source else "Inbound Interface"))
    print(format_nat_rule.format("----", "------" if args.source else "-----------", "-----------", "------------------" if args.source else "-----------------"))

    data_json = jmespath.search('nftables[?rule].rule[?chain]', tmp)
    for idx in range(0, len(data_json)):
        data = data_json[idx]

        # The following key values must exist
        # When the rule JSON does not have some keys, this is not a rule we can work with
        continue_rule = False
        for key in ['comment', 'chain', 'expr']:
            if key not in data:
                continue_rule = True
                continue
        if continue_rule:
            continue

        comment = data['comment']

        # Check the annotation to see if the annotation format is created by VYOS
        continue_rule = True
        for comment_prefix in ['SRC-NAT-', 'DST-NAT-']:
            if comment_prefix in comment:
                continue_rule = False
        if continue_rule:
            continue

        rule = int(''.join(list(filter(str.isdigit, comment))))
        chain = data['chain']
        if not ((args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING')):
            continue
        interface = dict_search('match.right', data['expr'][0])
        srcdest = ''
        srcdests = []
        tran_addr = ''
        for i in range(1,len(data['expr']) ):
            srcdest_json = dict_search('match.right', data['expr'][i])
            if srcdest_json:
                if isinstance(srcdest_json,str):
                    if srcdest != '':
                        srcdests.append(srcdest)
                        srcdest = ''
                    srcdest = srcdest_json + ' '
                elif 'prefix' in srcdest_json:
                    addr_tmp = dict_search('match.right.prefix.addr', data['expr'][i])
                    len_tmp = dict_search('match.right.prefix.len', data['expr'][i])
                    if addr_tmp and len_tmp:
                        srcdest = addr_tmp + '/' + str(len_tmp) + ' '
                elif 'set' in srcdest_json:
                    if isinstance(srcdest_json['set'][0],int):
                        srcdest += 'port ' + str(srcdest_json['set'][0]) + ' '
                    else:
                        port_range = srcdest_json['set'][0]['range']
                        srcdest += 'port ' + str(port_range[0]) + '-' + str(port_range[1]) + ' '

            tran_addr_json = dict_search('snat' if args.source else 'dnat', data['expr'][i])
            if tran_addr_json:
                if isinstance(tran_addr_json['addr'],str):
                    tran_addr += tran_addr_json['addr'] + ' '
                elif 'prefix' in tran_addr_json['addr']:
                    addr_tmp = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', data['expr'][3])
                    len_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3])
                    if addr_tmp and len_tmp:
                        tran_addr += addr_tmp + '/' + str(len_tmp) + ' '

                if isinstance(tran_addr_json['port'],int):
                    tran_addr += 'port ' + str(tran_addr_json['port'])

            else:
                if 'masquerade' in data['expr'][i]:
                    tran_addr = 'masquerade'
                elif 'log' in data['expr'][i]:
                    continue

        if srcdest != '':
            srcdests.append(srcdest)
            srcdest = ''
        print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))

        for i in range(1, len(srcdests)):
            print(format_nat_rule.format(' ', srcdests[i], ' ', ' '))

    exit(0)
else:
    parser.print_help()
    exit(1)